All of These Could Have Been Prevented
- A database created by the state of Maryland in 1993 to keep the medical records of all its residents for cost-containment purposes was used by state employees to sell confidential information on Medicaid recipients to health maintenance organizations (HMOs), and was accessed by a banker who used the information to call in the loans of customers he discovered had cancer.
- A medical student in Colorado sold the medical records of patients to malpractice lawyers (1997).
- A convicted child rapist working at a hospital in Newton, Massachusetts, used a former employee's computer password to access nearly 1,000 patient files to make obscene phone calls to young girls (1995).
www.ePrivacyGroup.com - [email protected] - 610.407.0400

And All Are Actionable
- The 13-year-old daughter of a Jacksonville, Florida, hospital clerk allegedly used a computer at the hospital to print out a list of patients and telephone numbers. She then called several patients and told them that they were infected with HIV. In one case, she also told a female patient that she had a positive pregnancy test; that patient attempted suicide.
- A study in five Pittsburgh hospitals found that doctors routinely discuss confidential patient information in elevators, even when other people are present (1995).
- In the not too distant future, incidents like these will be punishable offences under HIPAA,
  – but they are also actionable right now,
  – and at no time are they acceptable.

What Would The Reaction Be Today?
- 1996: A Florida state health department worker used a list of 4,000 HIV-positive people to screen dates. The list was forwarded to two newspapers. (Note: this was not a junior clerk but a veteran HRS employee with three master's degrees.)
- 1997: "Chicago hospital will pay fines of $161,000 resulting from claims of unauthorized duplication of software. The hospital apparently did not have an effective information security program for the protection of proprietary software."
- 1995: Physicians at Harvard Community Health Plan routinely put psychiatric notes into computerized medical records, which were accessible to many of the HMO's employees.

Security Challenge and Privacy Paradox
- Security Challenge: Organizations must respect and protect the privacy wishes of individuals, but security is accustomed to serving the organization and protecting its secrets.
  – E.g., when we studied security risks for a large health care company in 1996, security was 100% organizationally focused, protecting money and assets.
  – But a personal privacy breach can cost far more than any other form of security breach.
- Privacy Paradox: People want personal attention but are reluctant to share personal data.

The Privacy Paradox
- In many situations, people want a personalized experience, but they are reluctant to divulge personal information.
- In healthcare, professionals need very accurate and very personal information in order to provide care, but they may not get it, for a variety of reasons.
- Throughout society, any gathering of data today is likely to cause privacy concerns to surface.
- This is a result of adopting information technology faster than we can think about the implications, which means society as a whole still has a lot more questions than answers, and that adds to the challenge.

Some Consequences of the Privacy Paradox
- People buy less online, and people lie more.
  – 67% of consumers had not made two or more purchases in the past six months, primarily due to privacy reasons. (IDC)
  – 67% of users admit providing false information. (Forrester)
- People urge politicians to do something.
- This is a problem for companies AND consumers, and healthcare is no exception.

Example: Healthcare
- One in five American adults believe that a health care provider, insurance plan, government agency, or employer has improperly disclosed personal medical information. Half of these people say it resulted in personal embarrassment or harm.
  – Health Privacy Project 1999; California HealthCare Foundation, national poll, January 1999
- Only a third of U.S. adults say they trust health plans and government programs to maintain confidentiality all or most of the time.
  – California HealthCare Foundation, national poll, January 1999

The Fear Is Real, With Adverse Effects
- In a recent survey of Fortune 500 companies, only 38% responded that they do not use or disclose employee health information for employment decisions.
  – Report prepared for Rep. Henry A. Waxman by the Minority Staff, Special Investigations Division, Committee on Government Reform, U.S. House of Representatives, April 6, 2000
- 15% of American adults say they have done something out of the ordinary to keep medical information confidential.
  – California HealthCare Foundation, national poll, January 1999

So What Is Personal Information?
- According to the Federal Trade Commission (FTC), any of the following:
  – Full name
  – Physical address
  – E-mail address
  – Social Security Number
  – Telephone number
  – A screen name revealing an e-mail address
  – A persistent identifier, such as a number held in a cookie, which is combined with personal information
  – Any information tied to personal information: age, gender, hobbies, preferences, etc.

Personally Identifiable Information
- Information that relates to an individual who can be identified, directly or indirectly, from the data, particularly by reference to an identification number or to aspects of his or her physical, mental, economic, cultural, or social identity.
- Which one or two of the following are your greatest concerns over the next century?
  – Loss of privacy: 29%
  – Overpopulation: 23%
  – Terrorist acts: 23%
  – Racial tensions: 17%
  – World war: 16%
  – Global warming: 14%
  – Economic depression: 13%
  (NBC News/WSJ poll, Sept. 1999)

Privacy Concerns Are Far-Reaching
- Out of a list of eight policy issues, 56% of adults responded that they are "very concerned" about a loss of personal privacy. The category came in second out of the eight, beating out such topics as healthcare, crime and taxes.
  – Harris Poll, October 2000
- Healthcare impacts are not confined to care: many areas of medical research are also negatively impacted.

Recap on Why Privacy Is Important Today
- The issue of privacy could be a decisive factor in the success of the "New Economy"
  – Consumers are getting vocal and press coverage is spreading (KGAB)
  – The U.S. Congress and 50 statehouses are responding with a patchwork of privacy, anti-spam and cybercrime bills
- Organizations of all kinds are struggling with the issues
  – Unable to comply with, or even track, the evolving multitude of laws, regulations and best practices
- People of all kinds are struggling with the issues
  – One reason this is so hard? We don't know what to think (for an example, check out today's privacy scenarios, CO-DMV)
- Consumer trust and confidence with respect to privacy are essential for the adoption and use of interactive technologies, which fuel many areas of the economy, from pharmacies to disease management

Not Just Our Opinion
- To survive mounting consumer anxiety and the growing labyrinth of US and foreign regulation, firms need to institutionalize their commitment to protecting and managing their customers' privacy by taking a comprehensive, whole-view approach to privacy.
- Anyone today who thinks the privacy issue has peaked is greatly mistaken. As with environmentalism [in the 60s] we are in the early stages of a sweeping change in attitudes that will fuel years of political battles and put once-routine business practices under the microscope.
  – Forrester Report, February 2001

II. The Regulatory Landscape
- There are healthcare-specific laws, such as HIPAA and the Common Rule.
- But these exist in the context of a wider framework of regulation, including:
  – State laws (these are many and varied)
  – Foreign laws
- Many are based on the core tenets of Fair Information Practices (FTC):
  – General & industry specific
  – Privacy of children (COPPA)
  – Privacy of financial information (Gramm-Leach-Bliley)
  – Privacy of medical information (HIPAA)

GLB: Subtitle A - Disclosure of Nonpublic Personal Information
- Each financial institution has an affirmative and continuing obligation to
  – respect the privacy of its customers;
  – protect the security and confidentiality of customers' nonpublic PI.
- A financial institution is prohibited from disclosing nonpublic PI to a nonaffiliated 3rd party (either directly or through an affiliate) unless it has
  – disclosed to the consumer, in a clear and conspicuous manner, that the PI may be disclosed to such a 3rd party;
  – given the consumer an opportunity to direct that the PI not be disclosed; and
  – described the manner in which the consumer can exercise the nondisclosure option.

GLB: Subtitle B - Fraudulent Access to Financial Information
- Prohibits obtaining (or attempting to obtain) customer information of a financial institution relating to another person by false or fraudulent means.
- Prohibits a person from causing to be disclosed, or attempting to cause to be disclosed, to any person, customer information of a financial institution relating to another person by false or fraudulent means.
- These prohibitions apply whether the wrongdoer aims the fraud at the financial institution or directly at the customer.

COPPA
- The Children's Online Privacy Protection Act (COPPA) was enacted in October 1998, with a requirement that the FTC issue and enforce rules.
- The primary goal is to place parents in control over what information is collected from their children online.
- COPPA applies to:
  – operators of commercial websites and online services directed to children under 13 that collect personal information ("PI") from children;
  – operators of general-audience sites with actual knowledge that they are collecting PI from children under 13.

Under COPPA You Must Do 6 Things
1. Post clear and comprehensive privacy policies describing information practices for children;
2. Obtain verifiable parental consent before collecting PI, with limited exceptions (e.g., usually by fax, telemarketing);
3. Give parents the choice to consent to the collection of the PI but not its disclosure to 3rd parties;
4. Provide parents access to their child's personal information to review and/or have it deleted;
5. Give parents the opportunity to prevent further collection or use of the information;
6. Maintain the confidentiality, security, and integrity of information collected.
Note: COPPA prohibits conditioning a child's participation in an online activity on providing more PI than is reasonably necessary to participate in that activity.

HIPAA Irony?
- Passed in 1996. This gave Congress ample time to draft the privacy and security parts.
- But Congress declined, so the Department of Health and Human Services wrote them and they became law by default.
- For the past 8 years, Congress has also failed to pass a patients' bill of rights or a medical privacy act, but HIPAA provides elements of both, with little input from Congress.

HIPAA Privacy Rule & Covered Entities
- The Privacy Rule applies to health plans, health care clearinghouses, and certain health care providers.
- Providers and plans often require assistance with healthcare functions from contractors and other businesses. The Privacy Rule allows providers and plans to give protected health information (PHI) to these "business associates."
- Such disclosures can only be made if the provider or plan obtains, typically by contract, satisfactory assurances that the business associate will
  – use the information only for the purposes for which they were engaged by the covered entity,
  – safeguard the information from misuse,
  – help the covered entity comply with its duties to provide individuals with access to health information about them.

Covers More Entities Than Expected/Hoped
- Covered Entities:
  – All healthcare organizations. This includes all health care providers, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.
- Business Associates:
  – Perform functions involving PHI (PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions, not for independent use by the business associate).
- Hybrid Entities:
  – Legal entities that cannot be differentiated into units with their own legal identities, yet qualify as a covered entity although covered functions are not their primary functions.

DHHS Timeline
Notices of Proposed Rule Making (NPRMs) already published:

Standard                      | NPRM published | Final rule published | Compliance date
Transactions and Code Sets    | 5/07/1998      | 8/17/2000            | 10/16/2002 (with exceptions)
National Provider Identifier  | 5/07/1998      | -                    | 2002
National Employer Identifier  | 6/16/1998      | -                    | 2002
Security                      | 8/12/1998      | -                    | 2002
Privacy                       | 11/3/1999      | 12/28/2000           | 4/14/2003

Qualifying for a Delay in Compliance with the Transactions and Code Sets Rule
On December 27th, President Bush signed HR 3323, thereby enabling entities covered by HIPAA to delay compliance with the Transactions and Code Sets Rule by one full year, until October 16, 2003. To qualify for the deadline extension, entities must submit a compliance plan to the Secretary of DHHS by October 16, 2002. The plan must include a budget, schedule, work plan, and implementation strategy for achieving compliance. The bill confirms that the compliance date of the Privacy Rule, April 14, 2003, is not affected.

What Does HIPAA Mean in Terms of Privacy?
- 164.502 Uses and disclosures of protected health information: general rules.
  – (a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
- 164.530 Administrative requirements.
  – (c)(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

What Does This Mean?
- Patients will have the right to review and copy their medical records, as well as to request amendments and corrections to these records.
- Physicians must obtain written permission from patients before information for routine matters such as billing and treatment can be shared with others.
- Health care providers and plans must tell patients to whom they are disclosing their information and how it is being used.
- IIHI must be protected at all times, disclosed only when necessary, and only as much as necessary.
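The last two bullets above (disclose only as much as necessary, and be able to tell patients to whom their information went) are the two controls a system designer has to build rather than merely document. The following is an added example, not code from the presentation and not an HHS artefact: a purpose-based field filter that releases only the fields a stated disclosure purpose needs, refuses unknown purposes outright, and writes an accounting-of-disclosures log that can be queried per patient. The purpose-to-field policy, the record layout and the sample values are all constructed for illustration.

```python
"""Minimum-necessary disclosure of a patient record with an accounting-of-
disclosures log. Added example; not code from the presentation or from HHS.
The purpose-to-field policy, the record layout and the sample data below are
all constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical policy: the only fields each disclosure purpose may receive.
# Anything not listed for a purpose is withheld, however the request is phrased.
ALLOWED_FIELDS = {
    "treatment": {"patient_id", "name", "dob", "diagnoses", "medications", "allergies"},
    "billing": {"patient_id", "name", "dob", "insurance_id", "procedure_codes"},
    "appointment_reminder": {"patient_id", "name", "phone", "next_visit"},
}


class DisclosureDenied(Exception):
    """Raised when a request names a purpose the policy does not recognise."""


@dataclass
class DisclosureLog:
    """Accounting of disclosures: who received which fields, for what purpose, when.
    This is what lets a provider tell a patient to whom their data went."""
    entries: list = field(default_factory=list)

    def record(self, patient_id, recipient, purpose, fields, when):
        self.entries.append({
            "patient_id": patient_id, "recipient": recipient,
            "purpose": purpose, "fields": fields, "when": when,
        })

    def for_patient(self, patient_id):
        """Everything disclosed about one patient, in the order it happened."""
        return [e for e in self.entries if e["patient_id"] == patient_id]


def disclose(record, recipient, purpose, log, when=None):
    """Release only the fields the stated purpose needs, and log the release.

    Unknown purposes are refused rather than defaulting to the full record."""
    if purpose not in ALLOWED_FIELDS:
        raise DisclosureDenied(f"no disclosure policy for purpose {purpose!r}")
    allowed = ALLOWED_FIELDS[purpose]
    released = {k: v for k, v in record.items() if k in allowed}
    when = when or datetime.now(timezone.utc).isoformat()
    log.record(record["patient_id"], recipient, purpose, sorted(released), when)
    return released


# Constructed sample record (fictitious values).
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Sample",
    "dob": "1970-01-01",
    "phone": "555-0100",
    "insurance_id": "INS-12345",
    "procedure_codes": ["99213"],
    "diagnoses": ["example-dx"],
    "medications": ["example-rx"],
    "allergies": ["penicillin"],
    "next_visit": "2003-04-14",
}

if __name__ == "__main__":
    log = DisclosureLog()
    print(disclose(SAMPLE_RECORD, "claims-processor", "billing", log))
    print(disclose(SAMPLE_RECORD, "reminder-service", "appointment_reminder", log))
    for entry in log.for_patient("P-0001"):
        print(entry["when"], entry["recipient"], entry["purpose"], entry["fields"])
```

The design choice worth noting is the allow-list: a billing request never sees diagnoses or medications because those fields are absent from its policy entry, not because someone remembered to strip them. The log records the field names that were released, not their values, so the accounting itself does not become a second copy of the PHI.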

Practical Implications
- Besides the changes in business practices, providers and insurance companies must rewrite contracts with business partners such as auditors, attorneys, consultants, even the janitors, to ensure that they adhere to the privacy rules.
- Many unwritten rules must be written down, and some will need to be changed.

Your Best Bet?
- Find out now whether you are covered, and what is covered.
- Begin education now.
  – Lack of HIPAA-specific privacy training? No problem (common body of knowledge, Fair Information Practice Principles, OECD, etc.)
- Act in the spirit of the act and document your efforts.
- Document all decisions with respect to IIHI:
  – why you handle it the way you do;
  – why you protect it the way you do.

HIPAA Is Also About Healthcare Security
- Paraphrase: "appropriate safeguards to protect the privacy of health information." That is, to ensure privacy you need security.
- But HIPAA 160 is not specific about security:
  – Implementation specification: safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

IV. Healthcare Privacy Beyond HIPAA
- Other government agencies have been aggressive in pursuing privacy violations.
  – The FTC is pursuing COPPA and G-L-B violators.
  – Other agencies may seek to get into the action.
- Some states have also been active.
  – Individual states acting alone, as well as combined actions among multiple states.
- Given current consumer sentiment on privacy, it is to be expected that some public officials will "get tough on privacy."

The Common Rule Governing Research
- Federal Policy for the Protection of Human Subjects.
- Research is "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge."
- Can include a wide variety of activities, including experiments, observational studies, surveys, and tests designed to contribute to generalizable knowledge.
- Generally does not include such operational activities as medical care, quality assurance, quality improvement, certain aspects of public health practice such as routine outbreak investigations and disease monitoring, program evaluation, fiscal or program audits, journalism, history, biography, philosophy, "fact-finding" inquiries such as criminal, civil and congressional investigations, and intelligence gathering.

But Not Common Interpretation
- The Department of Health and Human Services (HHS) regulations [45 CFR part 46] apply to research involving human subjects conducted by HHS or funded in whole or in part by HHS.
- The Food and Drug Administration (FDA) regulations [21 CFR parts 50 and 56] apply to research involving products regulated by the FDA. Federal support is not necessary for the FDA regulations to be applicable.
- When research involving products regulated by the FDA is funded, supported or conducted by FDA and/or HHS, both the HHS and FDA regulations apply.
- FDA has not said much about how HIPAA may affect the confidentiality of research subjects.

Common Rule, HIPAA, and IRBs
- A covered entity (under HIPAA) may use or disclose PHI for research without an authorization if it obtains a valid waiver approved by an Institutional Review Board ("IRB") or a Privacy Board. Otherwise HIPAA requires a covered entity that creates PHI for the purpose of research that includes treatment of individuals to obtain an authorization for the use or disclosure of such information.
- HIPAA's requirements for authorization and the Common Rule's requirements for informed consent are distinct. Under HIPAA, a patient's authorization covers the use and disclosure of PHI for research purposes. In contrast, an individual's informed consent as required by the Common Rule and FDA's human subjects regulations is consent to participate in the research study as a whole, not merely consent for the research use or disclosure of PHI.
- Where all of these rules and regulations are applicable, each of the applicable regulations will need to be followed.

Healthcare Privacy and the FTC
- Aggressive privacy stance; non-healthcare examples:
- Gramm-Leach-Bliley
  – Washington, April 18, 2001: Three brokers caught by an FTC sting operation have been charged with violating privacy provisions in the Gramm-Leach-Bliley Act. That 1999 law made it a crime to use deception to obtain and resell bank account balances, information on stock portfolios and other financial records.
- COPPA
  – Washington, April 20, 2001: As part of a crackdown on Internet sites that collect personal information from children without their parents' permission, the Federal Trade Commission announced yesterday that three online companies have agreed to pay $100,000 in fines to settle charges that they violated federal law.

FTC Examples (4 of 4): Eli Lilly Case
- As part of prozac.com, Eli Lilly sent out individual email reminders to 700 people who used their reminder service.
- But when Lilly discontinued the service in June 2001, the notice was sent to the entire list using "cc" and not "bcc", thus revealing the addresses of the recipients to all.
- The ACLU asked the FTC to investigate as an "unfair or deceptive trade practice" because customers had been led to believe that their identities would be kept secret.
- The incident was an "accident" but occurred because of a lack of privacy awareness on the part of the employees handling the mailing program.
- Immediate damage: the company banned ALL outbound email with more than one recipient (imagine!).
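The Lilly mailing failed in a way that awareness training alone does not reliably prevent, and the company's reaction (banning every multi-recipient message) shows what happens when there is no technical control to fall back on. The following is an added example, not Lilly's mailing code and not code from the presentation: a notification sender that builds one message per subscriber and runs every message through a gate that refuses anything showing more than one address in To or Cc. The addresses are constructed, and the send function is injected so the code runs offline.

```python
"""Bulk notification without exposing the subscriber list. Added example; this
is not Eli Lilly's mailing code and not code from the presentation. The
addresses are constructed, and send_fn is injected so the example runs offline."""
from email.message import EmailMessage


class RecipientExposure(Exception):
    """Raised when a message would show other subscribers' addresses."""


def visible_recipients(msg):
    """Addresses in To and Cc: the headers every recipient of the message can read.
    Bcc is deliberately not counted, because it is stripped before delivery."""
    addrs = []
    for header in ("To", "Cc"):
        value = msg[header]
        if value is not None:
            addrs.extend(a.addr_spec for a in value.addresses)
    return addrs


def check_no_list_exposure(msg):
    """Policy gate for subscriber mailings: at most one visible recipient."""
    seen = visible_recipients(msg)
    if len(seen) > 1:
        raise RecipientExposure(f"{len(seen)} addresses visible in To/Cc")
    return True


def build_notice(sender, recipient, subject, body):
    """One message addressed to one subscriber only."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_bulk_notice(sender, subscribers, subject, body, send_fn):
    """Send the same notice to every subscriber as separate messages.
    Each message passes the exposure gate before send_fn sees it; returns the count."""
    sent = 0
    for addr in subscribers:
        msg = build_notice(sender, addr, subject, body)
        check_no_list_exposure(msg)
        send_fn(msg)
        sent += 1
    return sent


def build_exposing_notice(sender, subscribers, subject, body):
    """The mistake the slide describes, reproduced on constructed data so the
    gate can be shown rejecting it: every subscriber placed in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Cc"] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed subscriber list (the .test top-level domain is reserved for examples).
SUBSCRIBERS = ["alice@example.test", "bob@example.test", "carol@example.test"]

if __name__ == "__main__":
    outbox = []
    n = send_bulk_notice("reminders@example.test", SUBSCRIBERS,
                         "Reminder service ending",
                         "The reminder service is being discontinued.",
                         outbox.append)
    print(f"{n} separate messages queued; visible recipients per message:",
          [visible_recipients(m) for m in outbox])
    bad = build_exposing_notice("reminders@example.test", SUBSCRIBERS,
                                "Reminder service ending", "...")
    try:
        check_no_list_exposure(bad)
    except RecipientExposure as e:
        print("rejected:", e)
```

The gate sits in the sending path, not in the template, so a later change to the mailing program (or a well-meaning employee pasting the list into Cc) still gets caught before anything leaves. Counting only To and Cc is the point: Bcc is the one header that does not reach other recipients, so a message with many Bcc addresses passes while the Cc version is refused.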

Lilly FTC Update 1/2
- The proposed FTC settlement would prevent Lilly from making further misrepresentations about the extent to which it maintains and protects the privacy or confidentiality of any personal information collected from or about consumers.
- Lilly would be required to establish and maintain a four-stage information security program
  – designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure.

Lilly FTC Update 2/2 (Try Figuring Costs on This!)
- Specifically, Lilly would be required to:
  – designate appropriate personnel to coordinate and oversee the program;
  – identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information, including any such risks posed by lack of training, and address these risks in each relevant area of its operations, whether performed by employees or agents, including: (i) management and training of personnel; (ii) information systems for the processing, storage, transmission, or disposal of personal information; and (iii) prevention of and response to attacks, intrusions, unauthorized access, or other information systems failures;
  – conduct an annual written review by qualified persons, within ninety (90) days after the date of service of the order and yearly thereafter, which shall monitor and document compliance with the program, evaluate the program's effectiveness, and recommend changes to it; and
  – adjust the program in light of any findings and recommendations resulting from reviews or ongoing monitoring, and in light of any material changes to Lilly's operations that affect the program.

(Web) Privacy Policy Topics to Review
- What PII do or might you collect?
- Why is or may PII be collected? How will it be used?
- May online and offline data be merged?
- Cookies used? Purpose?
- How does one opt out generally?
- Onward transfers?
- Do or may you enhance data? How? Why?
- With whom is data shared? Do you co-market?
- Do 3rd parties collect data (e.g., ad servers)?
- If you change your policies, how will you let individuals know? Acquisitions?
- Do consumers have access to their PII? How?
- Do you secure PII from unauthorized access?
- Privacy policy redress?

A Definition of Privacy Protection
- Privacy Protection is the process of guarding the right of individuals, groups and organizations to control or significantly influence the collection, content and use or transfer of personal information about themselves.

While Keeping Systems & Data Available
- Availability is part of security.
- You need reliability measures, such as failover and redundancy (in communications as well as systems).
- Plus an incident response plan, in place and tested:
  – who does what when things go wrong.
- Plus a disaster recovery plan, in place and tested:
  – how you get back your operational capability and system/data availability after things have gone wrong (fire, theft, flood, earthquake, lightning, tornado, etc.).

VII. Privacy Trends and Technology
- More laws are coming.
- US enforcement of existing laws is increasing.
  – The FTC under Bush will be aggressive in enforcing current law to forestall pressure for further privacy laws.
- Worldwide laws will continue to evolve.
  – And many are stricter than US laws.
  – Transborder data flows are already affected.
  – EU Data Protection Directive.
- Privacy technology:
  – The tools to keep data safe on systems already exist.
  – More tools will emerge to audit privacy policy and measures.
  – More tools will be sold for individual privacy protection.
  – Surveillance technology will also increase in power and scope.

VIII. Lessons From Other Industries
- A reputation for privacy and security can provide a competitive advantage.
- 91% of US consumers say they would be more likely to do business with a company that verified its privacy practices with a third party (Harris, 2002).
  – 62% say third-party security verification would allow them to be satisfied with the company.
  – 84% think that third-party verification should be a requirement.
- Peter Cullen, chief privacy officer at Toronto-based Royal Bank, says there's profit in privacy.
  – "It is one of the key drivers of a customer's level of commitment and has a significant contribution to overall demand... privacy plays a measurable part in how customers decide [to] purchase products and services from us. It brings us more share of the customer's wallet."